Some hackers are reportedly using the Dogecoin blockchain network to deploy attacks against cloud servers. Cybersecurity researchers at Intezer revealed that a new malware used by these hackers depends on the blockchain network.
According to the researchers' new study, the hackers are actively spreading a malware payload known as Doki, delivered through a botnet known as Ngrok. Doki, a previously undetected backdoor, abuses the Dogecoin blockchain in a unique way to generate its C2 domain address and breaches cloud servers, the report said.
Unfortunately, none of the 60 malware detection engines on VirusTotal has detected Doki since it was first analysed in January this year. The malware uses the domain addresses to search for additional vulnerable cloud servers within the victim's network.
“A technique that has become popular is the abuse of misconfigured Docker API ports, where attackers scan for publicly accessible Docker servers and exploit them in order to set up their own containers and execute malware on the victim’s infrastructure,” said the researchers.
The report noted that the hackers control the address the malware reaches out to by transferring a specific amount of Dogecoin from their wallet. The hackers can therefore choose how many coins to transfer and when, and switch the domain accordingly.
Using Dogecoin to deploy malware that is unrelated to cryptocurrency makes it quite resilient against both law enforcement and security products, Intezer said. This is why security products could not detect the malware for more than six months, despite it being uploaded to the VirusTotal database earlier this year.
The researchers also said, unfortunately, that the Ngrok botnet campaign has been ongoing for more than two years and is rather effective. Likewise, the Doki operation continues to evolve and is quite dangerous, as it gains full control of the victim's infrastructure.
Intezer advised firms and individuals who run container servers in the cloud to fix their configurations to prevent exposure.
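As an added illustration of the configuration fix Intezer recommends (example code written for this article, not from Intezer's report or Docker's tooling): a small audit of Docker's daemon.json that flags any TCP Engine API listener that does not require a client certificate, shown against a hardened sample. The daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker's documented ones; the sample files and certificate paths are constructed.

```python
import json
from urllib.parse import urlsplit

# Bind addresses that expose the listener on every network interface.
ALL_INTERFACES = {"", "0.0.0.0", "::"}
TLS_FILES = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for exposed Engine API listeners.

    An empty list means every TCP listener enforces client-certificate auth.
    """
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    if tls_verify:
        missing = [k for k in TLS_FILES if not cfg.get(k)]
        if missing:
            findings.append(("high", f"tlsverify set but {', '.join(missing)} not configured"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        if tls_verify:
            continue  # the daemon rejects clients without a CA-signed certificate
        bind = urlsplit(host).hostname or ""
        if bind in ALL_INTERFACES:
            findings.append(("high", f"{host} accepts unauthenticated API calls from any network"))
        else:
            # Still root-equivalent for anything that can reach that address.
            findings.append(("medium", f"{host} accepts unauthenticated API calls from {bind}"))
    return findings


# Constructed samples; not taken from any real host.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_json(sample) or "no findings")
```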